Implement read-only users and groups


      Problem Definition

      For regulatory reasons (such as SEA Rule 17a-4), some companies (especially those in the finance industry) need to restrict a group of users from performing any action that could be classified as a communication, so that the company does not have to capture and archive that communication data; such capture and archiving is also not currently feasible in Confluence Cloud. There could be additional use cases for such a read-only group in the same or other industries.

      Other users should not be able to send communications to the restricted group of users from Confluence Cloud.

      Giving those users read-only access and preventing them from performing certain actions (e.g. creating / updating / deleting pages, comments, reactions, inline comments, blogs, sharing content, etc.), so that they can only view content and navigate around, is essential for affected companies to be able to migrate to Confluence Cloud.

      Read-only access cannot be maintained at a large scale by relying on space administrators to prevent certain users from having write permissions, since the space admins usually do not know who is affected, and a user could be added or removed from that affected group at any time.

      The Guest role does not fit this scenario, since it allows an admin to grant Guests permissions to perform actions, including those listed above, and Guests are only allowed access to one space at a time.

      The read-only user group:

      • has a purpose that is not driven by conservation of licenses
      • would require that its users be authenticated and not anonymous
      • must be provisionable through an externally managed group, such as via Atlassian Guard, and apply across the Organization
      • is not meant to grant access to all spaces
      • still requires its users to hold space-level view permissions in order to view content
      • must never have its access elevated by any space permission, page restriction, or any other permission granted elsewhere. For example: if a user in the read-only group is granted permissions in a space to create pages, the resulting user experience would remain read-only
      • should not have its users available in any user or group select list, for example: @mentioning, Automation actors/owners, Sharing, etc.

      These restrictions should be applied to UI, REST API, and any other way users may access Confluence Cloud.

      The ideal solution would prevent this group of users from ever performing any actions other than navigating and viewing spaces to which they explicitly have view permissions.
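
      The precedence rule described above (membership in the read-only group overrides any grant made elsewhere, while viewing still needs a space-level grant), sketched as an added example that is not Atlassian's code or API. The group name `org-read-only`, the action names and the `User` / `Space` classes are assumptions made for illustration.

```python
# Added illustration: a hypothetical permission model, not Confluence Cloud's API.
from dataclasses import dataclass, field

VIEW = "view"
READ_ONLY_GROUP = "org-read-only"  # assumed name of the externally managed group


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    authenticated: bool = True


@dataclass
class Space:
    key: str
    # principal (user name or group name) -> actions granted in this space
    grants: dict = field(default_factory=dict)

    def granted(self, user):
        principals = {user.name} | user.groups
        return set().union(*(self.grants.get(p, set()) for p in principals))


def is_read_only(user):
    return READ_ONLY_GROUP in user.groups


def is_allowed(user, action, space):
    """Single decision point, meant to sit behind UI, REST and every other entry path."""
    if not user.authenticated:
        return False                      # read-only users must be authenticated
    if is_read_only(user) and action != VIEW:
        return False                      # org-level deny wins over any grant
    return action in space.granted(user)  # viewing still needs a space-level grant


def selectable_users(users):
    """Candidates for mentions, sharing, automation actors: read-only users excluded."""
    return [u for u in users if not is_read_only(u)]


if __name__ == "__main__":
    # Constructed sample data: alice is in the read-only group, bob is not.
    fin = Space("FIN", {"traders": {"view", "create_page", "comment"}})
    alice = User("alice", {READ_ONLY_GROUP, "traders"})
    bob = User("bob", {"traders"})
    for u in (alice, bob):
        print(u.name, {a: is_allowed(u, a, fin) for a in ("view", "create_page")})
```

      Evaluating the group check before any space or page grant is what keeps a later grant from elevating a read-only user.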

      Suggested Solution

      Implement an Organization level, read-only group or role that removes the risk of allowing the assigned users to perform any actions other than viewing contents and navigating in Confluence Cloud.

      Workaround

      Currently there is no workaround available.

            Assignee:
            Unassigned
            Reporter:
            Thiago P [Atlassian Support]
            Votes:
            12
            Watchers:
            14
